New Mobile Malware Uses Layered Obfuscation and Targets Russian Banks

Last year, we saw the Fanta SDK malware target users of the Russian bank Sberbank and employ unique defensive measures. Now another banking malware family has appeared, targeting even more Russian banks while using new and evolved obfuscation techniques. This family is named FakeBank, and so far the related samples we have collected number in the thousands. These samples show that the malware targets not only Sberbank but also other Russian banks such as Letobank and VTB24. Our samples have random package names and pose mostly as SMS/MMS management software to lure users into downloading them. The table below shows the samples’ names:

App names             English translation of Russian names
SMS_S                 SMS_S
SMS_MMS               SMS_MMS
ММС – Пoсланиe        ММС – Send
ММС – Сообщениe       MMC – Message
Посланиe              Messenger
Соoбщение             Composition
Фoтo                  Photo
CМC – Фотo            CМC – Photo
СMС – Соoбщение       СMС – Composition
СMC – Послание        СMC – Message

Table 1. Names of the banking malware samples

Actually, these advertised SMS management capabilities are turned against the victim. The malware intercepts SMS in a scheme to steal funds from infected users through their mobile banking systems.
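Several of the names in Table 1 mix Latin letters with look-alike Cyrillic ones (a Latin "C" beside a Cyrillic "М", a Latin "o" or "e" inside an otherwise Cyrillic word), which defeats naive string matching against a blocklist of known names. As an added example, not code from the original article, the following script flags mixed-script app names and folds the Latin look-alikes to Cyrillic so the names can be compared canonically; the sample names are constructed with explicit code points and only model the table.

```python
import unicodedata

# Latin letters that render identically to Cyrillic ones (hand-picked subset,
# assumption: extend for other look-alikes as needed). Latin -> Cyrillic.
LATIN_TO_CYRILLIC = {
    "A": "\u0410", "B": "\u0412", "C": "\u0421", "E": "\u0415", "H": "\u041d",
    "K": "\u041a", "M": "\u041c", "O": "\u041e", "P": "\u0420", "T": "\u0422",
    "X": "\u0425", "a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e",
    "p": "\u0440", "x": "\u0445", "y": "\u0443",
}

# Constructed sample names modelled on Table 1; code points are spelled out so
# the script mix is unambiguous. They are not copied from the article.
SAMPLES = [
    "SMS_MMS",                                          # pure Latin
    "\u041f\u043e\u0441\u043b\u0430\u043d\u0438\u0435",  # "Послание", pure Cyrillic
    "C\u041cC \u2013 \u0424\u043e\u0442o",              # Latin C, Cyrillic М, Latin C, trailing Latin o
    "\u0421M\u0421 \u2013 \u041f\u043e\u0441\u043b\u0430\u043d\u0438e",  # Latin M and Latin e
]


def script_of(ch):
    """'LATIN', 'CYRILLIC' or 'OTHER' for a letter; None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC"):
        if name.startswith(script):
            return script
    return "OTHER"


def scripts_in(name):
    """Set of scripts used by the letters of an app name."""
    return {s for s in map(script_of, name) if s is not None}


def is_mixed_script(name):
    """True when a name combines letters from more than one script."""
    return len(scripts_in(name)) > 1


def fold_homoglyphs(name):
    """Rewrite Latin look-alikes as Cyrillic so names compare canonically."""
    return "".join(LATIN_TO_CYRILLIC.get(ch, ch) for ch in name)


def flag_mixed(names):
    """Return (original, folded) for every mixed-script name in names."""
    return [(n, fold_homoglyphs(n)) for n in names if is_mixed_script(n)]


if __name__ == "__main__":
    for original, folded in flag_mixed(SAMPLES):
        print(f"mixed-script name: {original!r} -> folded {folded!r}")
```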

The banking malware has spread mainly across Russia and other Russian-speaking nations. The table below shows the detections per country.

Figure 1. Top countries where samples were detected; there were detections in other countries but they totaled less than 1%

Intercepting SMS leads to transferring funds

The malicious app can switch the infected device’s network connection on and off and silently connect to the internet. This means that it can send information to its command-and-control (C&C) server without the user’s knowledge. It also inspects the device for anti-virus software and, if any is detected, exits without executing any malicious behavior. This tactic helps it remain unreported and under the radar.

The malware also steals information from the device and uploads it to the C&C server. The sensitive data collected includes: users’ phone numbers, a list of installed banking apps, the balance on any linked bank card, and even location information.